aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c11
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/nlmsgtab.c10
-rw-r--r--security/selinux/ss/services.c4
4 files changed, 20 insertions, 7 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 85a6f66a873f..62b963aca275 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -242,7 +242,7 @@ void __init avc_init(void)
242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), 242 avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node),
243 0, SLAB_PANIC, NULL, NULL); 243 0, SLAB_PANIC, NULL, NULL);
244 244
245 audit_log(current->audit_context, "AVC INITIALIZED\n"); 245 audit_log(current->audit_context, AUDIT_KERNEL, "AVC INITIALIZED\n");
246} 246}
247 247
248int avc_get_hash_stats(char *page) 248int avc_get_hash_stats(char *page)
@@ -532,6 +532,7 @@ void avc_audit(u32 ssid, u32 tsid,
532 u16 tclass, u32 requested, 532 u16 tclass, u32 requested,
533 struct av_decision *avd, int result, struct avc_audit_data *a) 533 struct av_decision *avd, int result, struct avc_audit_data *a)
534{ 534{
535 struct task_struct *tsk = current;
535 struct inode *inode = NULL; 536 struct inode *inode = NULL;
536 u32 denied, audited; 537 u32 denied, audited;
537 struct audit_buffer *ab; 538 struct audit_buffer *ab;
@@ -549,12 +550,18 @@ void avc_audit(u32 ssid, u32 tsid,
549 return; 550 return;
550 } 551 }
551 552
552 ab = audit_log_start(current->audit_context); 553 ab = audit_log_start(current->audit_context, AUDIT_AVC);
553 if (!ab) 554 if (!ab)
554 return; /* audit_panic has been called */ 555 return; /* audit_panic has been called */
555 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted"); 556 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
556 avc_dump_av(ab, tclass,audited); 557 avc_dump_av(ab, tclass,audited);
557 audit_log_format(ab, " for "); 558 audit_log_format(ab, " for ");
559 if (a && a->tsk)
560 tsk = a->tsk;
561 if (a->tsk && a->tsk->pid) {
562 audit_log_format(ab, " pid=%d comm=", tsk->pid);
563 audit_log_untrustedstring(ab, tsk->comm);
564 }
558 if (a) { 565 if (a) {
559 switch (a->type) { 566 switch (a->type) {
560 case AVC_AUDIT_DATA_IPC: 567 case AVC_AUDIT_DATA_IPC:
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aae1e794fe48..db845cbd5841 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3419,7 +3419,7 @@ static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
3419 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm); 3419 err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
3420 if (err) { 3420 if (err) {
3421 if (err == -EINVAL) { 3421 if (err == -EINVAL) {
3422 audit_log(current->audit_context, 3422 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
3423 "SELinux: unrecognized netlink message" 3423 "SELinux: unrecognized netlink message"
3424 " type=%hu for sclass=%hu\n", 3424 " type=%hu for sclass=%hu\n",
3425 nlh->nlmsg_type, isec->sclass); 3425 nlh->nlmsg_type, isec->sclass);
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index b3adb481bc25..f0fb6d76f7c5 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -97,6 +97,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
97 { AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, 97 { AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
98 { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE }, 98 { AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
99 { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY }, 99 { AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
100 { AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
100}; 101};
101 102
102 103
@@ -141,8 +142,13 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
141 break; 142 break;
142 143
143 case SECCLASS_NETLINK_AUDIT_SOCKET: 144 case SECCLASS_NETLINK_AUDIT_SOCKET:
144 err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms, 145 if (nlmsg_type >= AUDIT_FIRST_USER_MSG &&
145 sizeof(nlmsg_audit_perms)); 146 nlmsg_type <= AUDIT_LAST_USER_MSG) {
147 *perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
148 } else {
149 err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
150 sizeof(nlmsg_audit_perms));
151 }
146 break; 152 break;
147 153
148 /* No messaging from userspace, or class unknown/unhandled */ 154 /* No messaging from userspace, or class unknown/unhandled */
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8449d667b062..b6149147d5cb 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -365,7 +365,7 @@ static int security_validtrans_handle_fail(struct context *ocontext,
365 goto out; 365 goto out;
366 if (context_struct_to_string(tcontext, &t, &tlen) < 0) 366 if (context_struct_to_string(tcontext, &t, &tlen) < 0)
367 goto out; 367 goto out;
368 audit_log(current->audit_context, 368 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
369 "security_validate_transition: denied for" 369 "security_validate_transition: denied for"
370 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s", 370 " oldcontext=%s newcontext=%s taskcontext=%s tclass=%s",
371 o, n, t, policydb.p_class_val_to_name[tclass-1]); 371 o, n, t, policydb.p_class_val_to_name[tclass-1]);
@@ -742,7 +742,7 @@ static int compute_sid_handle_invalid_context(
742 goto out; 742 goto out;
743 if (context_struct_to_string(newcontext, &n, &nlen) < 0) 743 if (context_struct_to_string(newcontext, &n, &nlen) < 0)
744 goto out; 744 goto out;
745 audit_log(current->audit_context, 745 audit_log(current->audit_context, AUDIT_SELINUX_ERR,
746 "security_compute_sid: invalid context %s" 746 "security_compute_sid: invalid context %s"
747 " for scontext=%s" 747 " for scontext=%s"
748 " tcontext=%s" 748 " tcontext=%s"
generated by cgit v1.2.2 (git 2.25.0) at 2024-09-29 10:30:00 -0400